From: Church, Chuck (cchurch@wamnetgov.com)
Date: Fri Jul 09 2004 - 14:11:00 GMT-3
Brian,
Keep in mind NBAR isn't a full blown IDS that looks at every
single byte of a packet. Not enough CPU in a router to do that. NBAR
does look at just port numbers for the most part, with a few exceptions.
If you compare a 'sh ip nbar port-map' with a 'sh ip nbar proto', you'll
see some protocols like kazaa2 (assuming you're running an image that
supports kazaa2) don't have a port mapping. These 'portless' protocols
supposedly can be detected on any port, as it must inspect just enough
of the layer 3/4 header to know it's kazaa.
Chuck Church
Wam!Net Government Services - D&I Team
Lead Design Engineer
CCIE #8776, MCNE, MCSE
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 703-819-3495
cchurch@wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jensen, Brian D.
Sent: Friday, July 09, 2004 12:09 PM
To: 'Koen Peetermans'; 'James Marinas'; KWygand@customonline.com;
ccielab@groupstudy.com
Subject: RE: NBAR & IP NBAR protocol-discovery
Hi,
I am using NBAR to match certain kinds of traffic, such as Napster. I
got a call from a user who found that they couldn't get to a website.
Turns out, I was using Nbar to drop napster traffic with a policy-map
and the website was using port 8888. I looked up the ports matched by
Nbar for Napster:
port-map napster tcp 6699 8875 8888 7777 6700 6666 6677 6688 4444 5555
So, can it be that the only thing Nbar is doing is matching ports? I
could just as easily have written an access-list to do the same thing.
Thoughts?
Thanks,
Brian
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Koen Peetermans
Sent: Friday, July 09, 2004 5:12 AM
To: 'James Marinas'; KWygand@customonline.com; ccielab@groupstudy.com
Subject: RE: NBAR & IP NBAR protocol-discovery
Actually, apparently "match protocol dlsw" would only match DIRECT
ENCAPSULATION dlsw (not TCP). But indeed it is a serious gotcha....
Kind regards,
Koen.
>Which makes me wonder why IOS let you choose 'match protocol dlsw'
>under the class map if it isn't going to do anything.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
James Marinas
Sent: Friday, 9 July 2004 6:28
To: KWygand@customonline.com; ccielab@groupstudy.com
Subject: RE: NBAR & IP NBAR protocol-discovery
'ip nbar protocol-discovery' isn't needed and you're right about it
being used for gathering protocol statistics on the interface.
In terms of gotchas... It seems that doing a 'match ip protocol____'
uses NBAR's port map. Check out this DLSW example:
class-map match-all DLSW
match protocol dlsw
policy-map POLICY
class DLSW
set precedence 5
interface FastEthernet0/0
service-policy input POLICY
NOTICE THAT THE POLICY MAP ISN'T MATCHING ANY PACKETS
r14#sh policy-map inter fast 0/0
FastEthernet0/0
Service-policy input: POLICY
Class-map: DLSW (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol dlsw
QoS Set
precedence 5
Packets marked 0
THIS IS BECAUSE DLSW IS NOT IN THE PORT MAP
r14# sh ip nbar port-map | begin port-map d
port-map dhcp udp 67 68
port-map dns udp 53
port-map dns tcp 53
Which makes me wonder why IOS let you choose 'match protocol dlsw' under
the class map if it isn't going to do anything.
Now, I'm going to modify NBAR's port-map:
r14(config)#ip nbar port-map custom-01 tcp 2065
r14(config)#end
r14#
*Mar 1 02:46:06.031: %SYS-5-CONFIG_I: Configured from console by console
r14#sh ip nbar port-map | begin port-map custom
port-map custom-01 udp 0
port-map custom-01 tcp 2065
And I'm going to modify the class-map:
class-map match-all DLSW
match protocol custom-01
When I view the policy-map on the interface, it is marking packets as it
should:
r14#sh policy-m inter fast 0/0
FastEthernet0/0
Service-policy input: POLICY
Class-map: DLSW (match-all)
26 packets, 1946 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol custom-01
QoS Set
precedence 5
Packets marked 26
Another potential gotcha is FTP.
r14#sh ip nbar port-map | begin port-map ftp
port-map ftp tcp 21
Notice that ftp-data's port isn't mapped.
Which brings me to the conclusion that if you are using the 'match
protocol', make sure it's in the 'sh ip nbar port-map'. If not, map it
with one of the custom mappings or better yet... use an access-list:
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq 2065
Hope this helps someone.
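The two points above (Chuck's, that NBAR in this release mostly matches on the port-map, and James's, that a 'match protocol' whose protocol has no port-map entry matches nothing) both come down to reading 'sh ip nbar port-map' before attaching a policy. The following script is an added example, not code from this thread or from Cisco: it parses port-map output in the shape the posters pasted, reports whether a protocol name actually has ports behind it, and flags which legitimate services a drop policy on a given NBAR protocol would also hit (Brian's web site on tcp/8888 inside napster's map). The sample port-map text is constructed from the entries quoted in the thread, and the function names are this example's own.

```python
"""Audit a Cisco 'show ip nbar port-map' listing before attaching a
drop or mark policy to an NBAR protocol.

Added example for the GroupStudy NBAR thread, not code from the thread
or from Cisco. The port-map text below is constructed from the entries
the posters quoted (dhcp, dns, ftp, napster, custom-01); the helper
names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of 'show ip nbar port-map' output.
SAMPLE_PORT_MAP = """\
port-map dhcp      udp 67 68
port-map dns       udp 53
port-map dns       tcp 53
port-map ftp       tcp 21
port-map napster   tcp 6699 8875 8888 7777 6700 6666 6677 6688 4444 5555
port-map custom-01 udp 0
port-map custom-01 tcp 2065
"""

LINE_RE = re.compile(r"^\s*port-map\s+(\S+)\s+(tcp|udp)\s+([\d\s]+?)\s*$")


def parse_port_map(text):
    """Return {(protocol, 'tcp'|'udp'): {ports}} from port-map output.

    A bare 'udp 0' entry (what the router prints for a custom protocol
    whose UDP side was never configured) is kept as an empty set so it
    is neither treated as a real mapping nor silently lost.
    """
    mapping = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts, headers, and anything else
        name, l4, ports = m.groups()
        for p in ports.split():
            port = int(p)
            if port:  # port 0 means "no port configured" in this output
                mapping[(name, l4)].add(port)
            else:
                mapping.setdefault((name, l4), set())
    return dict(mapping)


def is_mapped(mapping, name):
    """True if the protocol has at least one real port on tcp or udp.

    A 'match protocol X' class whose X has no port-map entry (dlsw in
    the thread) counts 0 packets, so a policy built on it does nothing.
    """
    return any(ports for (n, _l4), ports in mapping.items() if n == name)


def who_claims(mapping, l4, port):
    """Protocol names whose port-map already contains l4/port.

    Spots the collision in the thread: dropping 'napster' also dropped a
    web site on tcp/8888 because 8888 is in napster's map.
    """
    return sorted(n for (n, proto), ports in mapping.items()
                  if proto == l4 and port in ports)


def policy_risks(mapping, protocols_to_drop, services_in_use):
    """Report which in-use services a drop policy on the given NBAR
    protocols would also hit.

    services_in_use: iterable of (label, 'tcp'|'udp', port).
    Returns a list of (service_label, l4, port, offending_protocol).
    """
    risks = []
    for label, l4, port in services_in_use:
        for proto in who_claims(mapping, l4, port):
            if proto in protocols_to_drop:
                risks.append((label, l4, port, proto))
    return risks


if __name__ == "__main__":
    pm = parse_port_map(SAMPLE_PORT_MAP)
    print("dlsw mapped?", is_mapped(pm, "dlsw"))            # False
    print("ftp-data mapped?", is_mapped(pm, "ftp-data"))    # False
    print("tcp/8888 claimed by", who_claims(pm, "tcp", 8888))  # ['napster']
    # Hypothetical in-use services, constructed for the demonstration.
    print(policy_risks(pm, {"napster"},
                       [("intranet-web", "tcp", 8888), ("dns", "udp", 53)]))
```

Paste the real output of 'sh ip nbar port-map' into SAMPLE_PORT_MAP (or read it from a file) and list the ports your own servers listen on; any tuple returned by policy_risks is a service that the NBAR drop class would take down, which is the check Brian's change was missing.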
>From: "Kenneth Wygand" <KWygand@customonline.com>
>Reply-To: "Kenneth Wygand" <KWygand@customonline.com>
>To: <ccielab@groupstudy.com>
>Subject: NBAR & IP NBAR protocol-discovery
>Date: Thu, 8 Jul 2004 22:03:00 -0400
>
>Hey everyone,
>
>When using NBAR through a class-based queuing mechanism (match ip
>protocol ____ ), do you need to have the command "IP nbar
>protocol-discovery" on the associated interface, or is this command
>only used for gathering protocol statistics on the interface?
>
>I know "ip cef" is required when using NBAR... are there any other
>"gotcha's" that are important to know for variations of NBAR
>implementations?
>
>Thanks!
>Ken
>
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:51 GMT-3